REMARKS 

In the October 11, 2006, Office Action, the United States Patent and Trademark Office 
(hereinafter "the Office") objected to the drawings because the Office could not find any mention of 
element 116 (FIGURE 1); element 492 (FIGURE 4J); and elements 332RC-RE (FIGURE 3F). 
Claims 1-19 were rejected as being unpatentable under the judicially-created doctrine of 
obviousness-type double patenting for disclosing claimed subject matter that is disclosed in 
copending U.S. Patent Application No. 10/607,370. Claims 13-19 were rejected under 35 U.S.C. 
§ 101 as being directed to non-statutory subject matter. Claims 1-19 were rejected under 
35 U.S.C. § 102(b) as being anticipated by Emin Gün Sirer and Ke Wang, "An Access Control 
Language for Web Services," SACMAT (June 3-4, 2002) ("Sirer et al."). 

To address the drawing objections, the pending specification has been amended to 
mention element 116 (FIGURE 1); element 492 (FIGURE 4J); and elements 332RC-RE 
(FIGURE 3F). Withdrawal of the drawing objections is respectfully requested. To address the 
double patenting rejections, a terminal disclaimer is submitted herewith. Withdrawal of the 
double patenting rejections of Claims 1-19 is respectfully requested. Without admitting to the 
propriety of the rejections of Claims 13-19 under 35 U.S.C. § 101, Claim 13 has been amended 
to clarify the claimed invention. Withdrawal of the rejections of Claims 13-19 under 35 U.S.C. 
§ 101 is respectfully requested. Without admitting to the propriety of the rejections of 
Claims 1-19 under 35 U.S.C. § 102(b), applicants have amended Claims 1, 6, and 13 to clarify 
the claimed invention and to bring forth what was inherent in those claims. 

Prior to discussing in detail why applicants believe that all of the claims in this 
application are allowable, a brief description of applicants' invention and brief descriptions of the 
applied references are provided. The following discussions of the disclosed embodiments of 
applicants' invention and the teachings of the applied references are not provided to define the 
scope or interpretation of any of the claims of this application. Instead, such discussions are 
provided to help the Office better appreciate important claim distinctions discussed thereafter. 

Summary of Sirer et al. 

Similar to applicant's claimed invention, Sirer et al. is directed to an access control 
language for Web services, but the similarity ends there. The language of Sirer et al. uses three 
basic security rules, which consist of predicate rules, sequence rules, and implication rules. See 
Table 1 and Section 3.1 of Sirer et al. Predicate rules resemble guarded commands as they 
specify that the action can only proceed if the condition is satisfied. Sequencing rules are used to 
express temporal dependencies on a user's actions in the past. Implication rules are used to 
specify dependencies on, or requirements from, future behavior. For instance, implications can 
be used to specify that, following a user's visit to a page to initiate a transaction, either the user 
must visit another URL to complete the transaction, or the system ought to abort the transaction 
and clean up system state. 

Applicant's claimed invention does not make use of predicate rules, sequence rules, and 
implication rules, which are required by the system of Sirer et al. for his system to work 
properly. 

The Claims Distinguished 

The Office has failed to show, and applicants are unable to find, where the cited and 
applied reference discloses the subject matter of the claimed invention. For example, the cited 
and applied reference fails to teach "a user Web service for representing a user having an 
expressed user access scope and a content Web service for representing a piece of content having 
an expressed content access scope," as recited in Claims 1, 6, and 13, albeit in a different 
manner. 

The Office has indicated that the above pre-amended recited claim limitation of Claim 1 
can be found at Section 3.1 of Sirer et al., a portion of which reads as follows: 

In the discussion below, we provide a simplified running example from an 
e-publishing system. To authenticate a user, a web server typically will 
check a submitted password and issue a cryptographically encrypted 
authentication token. This operation can be specified in our policy 
language with the following implication clause: 

http://sitename/login(user userid, passwd passwordid) AND 
MD5Hash(passwordid) = Extract(user, "password", user_col=userid) 
IMPLIES CreateAuthToken(token name, userid, passwordid) 

Nothing in Sirer et al. discloses the claimed invention. The claimed invention requires "a 
user Web service for representing a user having an expressed user access scope," as recited in 
Claim 1, and it also requires "a content Web service for representing a piece of content having an 
expressed content access scope". In other words, not only must there be an expressed user 
access scope but in addition there must be an expressed content access scope. In contrast, Sirer 
et al. advocates the use of a language to specify security policies for one access scope, which 
only pertain to actions. This teaches precisely the opposite of what is required by the claimed 
invention as recited in Claim 1, in which not only must an expressed user access scope be made 
explicit but also an expressed content scope. Neither can be found in the teachings of Sirer et al. 

Moreover, the claimed invention requires "the user Web service communicating with the 
content Web service to access the piece of content when the expressed user access scope 
overlaps with the expressed content access scope without using predicate rules, sequencing rules, 
and implication rules" as recited in Claim 1 among other limitations. Section 3.1 of Sirer et al., 
as cited and applied by the Office, reads as follows: 

The types of access control specifications most commonly used by web 
applications consist of predicate rules, sequencing rules and implication 
rules. Predicate rules resemble guarded commands, as they specify that 
the action can only proceed if the condition is satisfied. Sequencing rules 
are used to express temporal dependencies on a user's actions in the 
past. Implication rules are used to specify dependencies on, or 
requirements from, future behaviour. For instance, implications can also 
be used to specify that, following a user's visit to a page to initiate a 
transaction, either the user must visit another URL to complete the 
transaction, or the system ought to abort the transaction and clean up 
system state. 

These teachings of Sirer et al. are the opposite of what is required by the claimed 
invention. A user's access scope, unlike in a role-based access control model, can be expressed 
independently of the access scope of the piece of content. The determination of when a user has 
permission to access a piece of content is made at access time by determining whether there is an 
overlap between the access scope of a user and the access scope of a piece of content. This 
decoupling is possible, allowing the piece of content to be granted to classes of users without 
ever needing to form an explicit relationship tying users to the piece of content (which is what 
the language of Sirer et al. is trying to do by forcing programmers to specify upfront who can 
access what). Under the claimed invention, access scopes of users may be completely defined 
via expressions without needing to determine which pieces of content are accessible via certain 
access scopes, and, at the same time, access scopes of pieces of content may be completely 
defined via expressions without any reference to classes of users. This reduces the size of the 
permission space, hence reducing exponential role explosion and simplifying administration of 
the system. Because Sirer et al. does not disclose the identical subject matter, a prima facie case 
of anticipation has not been established by the Office. 

The Office has also failed to show, and applicants are unable to find, where the cited and 
applied reference discloses "requesting the discovery framework by the content Web service for 
an access evaluator Web service to evaluate whether an access scope of the user Web service 
overlaps with an access scope of the content Web service to grant access to the piece of content, 
the access scope of the user Web service being: conveyed in a first expression independently 
from a second expression that conveys the access scope of the content Web service without using 
predicate rules, sequencing rules, and implication rules," as recited in Claim 6, among other 
limitations. Consequently, a prima facie case of anticipation has not been established by the 
Office. 

The Office has also failed to show, and applicants are unable to find, where the cited and 
applied reference discloses "requesting the discovery framework by the content Web service for 
an access evaluator Web service to evaluate whether an access scope of the user Web service 
overlaps with an access scope of the content Web service to grant access to the piece of content 
without forming an explicit relationship tying the user Web service to the content Web service 
via predicate rules, sequence rules, and implication rules," as recited in Claim 13, among other 
limitations. Consequently, a prima facie case of anticipation has not been established by the 
Office. 

Because the Office has failed to state a prima facie case of anticipation, the rejections 
should be withdrawn. Independent Claims 1, 6, and 13 are clearly patentably distinguishable 
over the cited and applied references. Claims 2-5, 6-12, and 14-19 are allowable because they 
depend from allowable independent claims and because of the additional limitations added by 
those claims. Consequently, reconsideration and allowance of Claims 1-19 is respectfully 
requested. 